Amendments to the Claims
Please amend the claims of the present application as set forth below. 

Claims 1-37 were originally filed. 
Claims 1-37 are pending.

1. (original) A method for processing a permission set associated with
a code assembly received from a resource location to control execution of the code 
assembly, the method comprising: 

receiving the permission set including at least one permission associated 
with the code assembly; 

receiving a permission request set in association with the code assembly; and

filtering the permission set based on the permission request set to control 
execution of the code assembly. 

2. (original) The method of claim 1 wherein the filtering operation 
comprises: 

generating a permission grant set from a subset of the permission set, the 
subset specified by the permission request set. 

3. (original) The method of claim 1 wherein the filtering operation 
comprises:

computing a logical set operation on the permission set and the permission
request set to generate a permission grant set.

4. (original) The method of claim 1 wherein the permission request set
specifies a minimum permission condition and the filtering operation comprises:

preventing loading of the code assembly, if the permission set fails to
satisfy the minimum permission condition.

5. (original) The method of claim 1 wherein the permission request set 
specifies a minimum permission condition and the filtering operation comprises: 

preventing execution of the code assembly, if the permission set fails to
satisfy the minimum permission condition.

6. (original) The method of claim 1 further comprising:

defining a code group collection based on a security policy specification, 
the code group collection including one or more code groups; 

receiving evidence associated with the code assembly; 

evaluating membership of the code assembly in the one or more code 
groups, based on the evidence; and 

generating the permission set based on the membership of the code 
assembly in the one or more code groups.

7. (original) The method of claim 1 wherein the permission request set
specifies a plurality of typed permission request sets, each typed permission
request set specifying a distinct type of permission preference requested in
association with the code assembly.

8. (original) The method of claim 1 wherein the permission request set
specifies a minimum request set specifying a minimum set of permissions
requested in association with the code assembly. 

9. (original) The method of claim 8 wherein the filtering operation 
comprises: 

filtering the permission set based on the minimum request set to generate a
permission grant set, such that the permission grant set includes a subset of the
permission set.

10. (original) The method of claim 8 further comprising:

preventing loading of the code assembly, if the minimum request set is not a
subset of the permission set.

11. (original) The method of claim 8 further comprising:

preventing execution of the code assembly, if the minimum request set is
not a subset of the permission set.

12. (original) The method of claim 1 wherein the permission request set 
specifies an optional request set specifying an optional set of permissions 
requested in association with the code assembly. 

13. (original) The method of claim 12 wherein the filtering operation 
comprises filtering the permission set based on the optional request set to generate
a permission grant set; and further comprising:

executing a first level of code assembly functionality if the optional request
set is a subset of the permission grant set; and

executing a second level of code assembly functionality if the optional
request set is not a subset of the permission grant set.

14. (currently amended) The method of claim 1 wherein the permission 
request set specifies a refuse request set specifying a set of one or more 
permissions to be omitted from a permission grant set [[in]] associated with the 
code assembly.

15. (original) The method of claim 14 wherein the filtering operation
comprises:

omitting the set of one or more permissions specified by the refuse request
set from the permission grant set.

16. (original) The method of claim 1 wherein the permission request set
includes an optional request set specifying an optional set of permissions requested 
in association with the code assembly and a minimum request set specifying a 
minimum set of permissions requested in association with the code assembly, and 
wherein the filtering operation comprises: 

computing a union of the optional request set and minimum request set to 
provide a maximum request set; and 

computing an intersection of the maximum request set and the permission
set.

17. (original) The method of claim 16 wherein the permission request
set further specifies a refuse request set specifying a set of one or more
permissions to be omitted from a permission grant set in associated with the code
assembly, and wherein the filtering operation further comprises:

subtracting the set of one or more permissions specified in the refuse 
request set from the intersection of the maximum request set and the permission
set.

Lee & Hayes, pllc 7 msm874us

SEP 17 2004 12:10 FR LEE AND HAYES -PLLC 3035390271 TO 1703872930S P. 09/26



18. (original) The method of claim 1 wherein the operation of receiving
a permission request set comprises: 

receiving the permission request set and the code assembly in a single 
network communication. 

19. (original) The method of claim 1 wherein the operation of receiving 
a permission request set comprises: 

retrieving the permission request set in a network communication distinct 
from a network communication in which the code assembly is received. 

20. (original) A policy manager module for processing a permission set 
associated with a code assembly received from a resource location to control 
execution of the code assembly, the policy manager module comprising: 

a filter receiving the permission set and a permission request set associated 
with the code assembly and filtering the permission set based on the permission 
request set to control execution of the code assembly. 

21. (original) The policy manager module of claim 20 further
comprising: 






a permission set generator receiving an evidence set and generating a 
permission set in association with the code assembly, based on the evidence set. 

22. (original) The policy manager module of claim 20 wherein the filter 
generates a permission grant set from a subset of the permission set specified by 
the permission request set. 

23. (original) The policy manager module of claim 20 wherein the filter 
computes a logical set operation on the permission set and the permission request 
set to generate a permission grant set. 

24. (original) The policy manager module of claim 20 wherein the filter 
prevents loading of the code assembly, if the permission set fails to satisfy the
minimum permission condition. 

25. (original) The policy manager module of claim 20 wherein the filter 
prevents execution of the code assembly, if the permission set fails to satisfy the 
minimum permission condition. 

26. (original) The policy manager module of claim 20 wherein the 
permission request set specifies a plurality of typed permission request sets, each
typed permission request set specifying a distinct type of permission preference
requested in association with the code assembly.

27. (original) The policy manager module of claim 20 wherein the
permission request set specifies a minimum request set specifying a minimum set
of permissions requested in association with the code assembly.

28. (original) The policy manager module of claim 20 wherein the 
permission request set specifies an optional request set specifying an optional set 
of permissions requested in association with the code assembly. 

29. (original) The policy manager module of claim 20 wherein the filter 
generates a permission grant set omitting one or more permissions specified in a 
refuse request set. 

30. (original) The policy manager module of claim 20 wherein the 
permission request set specifies an optional request set specifying an optional set 
of permissions requested in association with the code assembly and a minimum 
request set specifying a minimum set of permissions requested in association with 
the code assembly, and wherein the filtering operation comprises: 

computing a union of the optional request set and minimum request set to 
provide an maximum request set; and

computing an intersection of the maximum request set and the permission
set.

31. (original) The policy manager module of claim 20 wherein the filter
generates a permission grant set based on an optional request set, the permission 
grant set being associated with a first level of code assembly functionality if the 
optional request set is a subset of the permission grant set and being associated 
with a second level of code assembly functionality if the optional request set is not 
a subset of the permission grant set.

32. (original) The policy manager module of claim 20 further 
comprising: 

a code group collection generator creating a code group collection based on 
a security policy specification, the code group collection including one or more 
code groups; 

a membership evaluator determining membership of the code assembly in 
the one or more code groups, based on evidence associated with the code 
assembly; and 

a permission set generator creating the permission set based on the 
membership of the code assembly in the one or more code groups.

33. (original) A computer data signal embodied in a carrier wave by a
computing system and encoding a computer program for executing a computer
process processing a permission set associated with a code assembly received from
a resource location to control execution of the code assembly, the computer 
process comprising: 

receiving the permission set including at least one permission associated 
with the code assembly; 

receiving a permission request set in association with the code assembly; and

filtering the permission set based on the permission request set to control
execution of the code assembly.

34. (original) A computer program storage medium readable by a 
computer system and encoding a computer program for executing a computer 
process processing a permission set associated with a code assembly received from 
a resource location, the computer process comprising: 

receiving the permission set including at least one permission associated 
with the code assembly; 

receiving a permission request set in association with the code assembly; and

filtering the permission set based on the permission request set to control
execution of the code assembly. 

35. (original) A computer program product encoding a computer 
program for executing on a computer system a computer process processing a 
permission set associated with a code assembly received from a resource location 
to control execution of the code assembly, the computer process comprising: 

defining a code group collection based on a security policy specification,
the code group collection including one or more code groups; 

receiving evidence associated with the code assembly; 

evaluating membership of the code assembly in the one or more code 
groups, based on the evidence; 

generating the permission set based on the membership of the code 
assembly in the one or more code groups; 

receiving the permission set including at least one permission associated
with the code assembly;

receiving a permission request set in association with the code assembly; and

computing a logical set operation on the permission set and the permission
request set to generate a permission grant set.

36. (original) The computer program product of claim 35 wherein the
permission request set includes an optional request set specifying an optional set of
permissions requested in association with the code assembly and a minimum
request set specifying a minimum set of permissions requested in association with 
the code assembly, and wherein the filtering operation comprises: 

computing a union of the optional request set and minimum request set to 
provide a maximum request set; and 

computing an intersection of the maximum request set and the permission
set.

37. (original) The computer program of claim 36 wherein the
permission request set further specifies a refuse request set specifying a set of one 
or more permissions to be omitted from a permission grant set in associated with 
the code assembly, and wherein the filtering operation further comprises: 

subtracting the set of one or more permissions specified in the refuse 
request set from the intersection of the maximum request set and the permission
set. 
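
The set operations recited in claims 4, 10, 13, 16 and 17 can be written out directly. The Python below is an added illustration, not code from the application; the class and function names, the permission names, and the check that rejects a refuse set overlapping the minimum set are assumptions made for the example.

```python
# Added illustration of the claimed filtering; all names here are constructed.
from dataclasses import dataclass


class PolicyError(Exception):
    """Policy-derived permission set does not cover the minimum request set."""


@dataclass(frozen=True)
class PermissionRequest:
    minimum: frozenset = frozenset()   # must be covered, else load is prevented
    optional: frozenset = frozenset()  # used when granted, not required
    refuse: frozenset = frozenset()    # never granted, even if policy allows it


def filter_permissions(permission_set, request):
    """Return (permission grant set, functionality level) for an assembly."""
    permission_set = frozenset(permission_set)
    # Assumption, not in the claims: a request that refuses something it also
    # lists as minimum contradicts itself, so reject it up front.
    if request.refuse & request.minimum:
        raise ValueError("refuse request set overlaps minimum request set")
    # Claims 4 and 10: prevent loading if minimum is not a subset of policy.
    missing = request.minimum - permission_set
    if missing:
        raise PolicyError(f"minimum request not satisfied: {sorted(missing)}")
    # Claim 16: maximum request = optional UNION minimum, then INTERSECT policy.
    maximum = request.optional | request.minimum
    grant = maximum & permission_set
    # Claim 17: subtract the refuse request set from that intersection.
    grant = grant - request.refuse
    # Claim 13: first level if every optional permission was granted.
    level = "first" if request.optional <= grant else "second"
    return grant, level


if __name__ == "__main__":
    # Constructed sample: policy would allow four permissions for this code.
    policy = {"ui", "file_read", "file_write", "net"}
    req = PermissionRequest(
        minimum=frozenset({"ui"}),
        optional=frozenset({"file_read", "file_write"}),
        refuse=frozenset({"file_write"}),
    )
    print(filter_permissions(policy, req))
```

In the sample, "net" is allowed by policy but never requested, so it is absent from the grant set: the request set can only narrow what policy offers, never widen it.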